Allow containerized undercloud deploy with SELinux

When SELinux is enforcing, use the docker volume mount flag
:z for the docker-puppet tool's bind-mounted volumes in RW mode.
Note, if a volume mount with a Z, then the label will be specific
to the container, and not be able to be shared between containers.

Volumes from /etc/pki mounted RO do not require the context changes.
For those RO volumes that do require it, use :ro,z.

For deploy-steps, make sure ansible file resources in /var/lib/
are enforced the same SELinux context attributes what docker's :z
provides.

Partial-bug: #1682179
Related-bug: #1723003

Change-Id: Idc0caa49573bd88e8410d3d4217fd39e9aabf8f2
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This commit is contained in:
Bogdan Dobrelya 2017-10-20 11:00:18 +02:00
parent 3b17b3fccd
commit 1fc9285125
3 changed files with 24 additions and 8 deletions

View File

@ -219,12 +219,12 @@ resources:
- -
# Write the manifest for baremetal puppet configuration # Write the manifest for baremetal puppet configuration
- name: Create /var/lib/tripleo-config directory - name: Create /var/lib/tripleo-config directory
file: path=/var/lib/tripleo-config state=directory file: path=/var/lib/tripleo-config state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write the puppet step_config manifest - name: Write the puppet step_config manifest
copy: content="{{ '{{' }}puppet_step_config{{ '}}' }}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600 copy: content="{{ '{{' }}puppet_step_config{{ '}}' }}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
# this creates a JSON config file for our docker-puppet.py script # this creates a JSON config file for our docker-puppet.py script
- name: Create /var/lib/docker-puppet - name: Create /var/lib/docker-puppet
file: path=/var/lib/docker-puppet state=directory file: path=/var/lib/docker-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write docker-puppet-tasks json files - name: Write docker-puppet-tasks json files
copy: content="{{ '{{' }}puppet_config | to_json{{ '}}' }}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600 copy: content="{{ '{{' }}puppet_config | to_json{{ '}}' }}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
# FIXME: can we move docker-puppet somewhere so it's installed via a package? # FIXME: can we move docker-puppet somewhere so it's installed via a package?
@ -241,7 +241,7 @@ resources:
copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{ '{{' }}item.key{{ '}}' }}.json" force=yes mode=0600 copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{ '{{' }}item.key{{ '}}' }}.json" force=yes mode=0600
with_dict: "{{ '{{' }}docker_startup_configs{{ '}}' }}" with_dict: "{{ '{{' }}docker_startup_configs{{ '}}' }}"
- name: Create /var/lib/kolla/config_files directory - name: Create /var/lib/kolla/config_files directory
file: path=/var/lib/kolla/config_files state=directory file: path=/var/lib/kolla/config_files state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write kolla config json files - name: Write kolla config json files
copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="{{ '{{' }}item.key{{ '}}' }}" force=yes mode=0600 copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="{{ '{{' }}item.key{{ '}}' }}" force=yes mode=0600
with_dict: "{{ '{{' }}kolla_config{{ '}}' }}" with_dict: "{{ '{{' }}kolla_config{{ '}}' }}"

View File

@ -273,10 +273,10 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--env', 'HOSTNAME=%s' % short_hostname(), '--env', 'HOSTNAME=%s' % short_hostname(),
'--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''), '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
'--env', 'STEP=%s' % os.environ.get('STEP', '6'), '--env', 'STEP=%s' % os.environ.get('STEP', '6'),
'--volume', '%s:/etc/config.pp:ro' % tmp_man.name, '--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro', '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
'--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z',
'--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'), '--volume', '%s:/var/lib/config-data/:z' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
'--volume', 'tripleo_logs:/var/log/tripleo/', '--volume', 'tripleo_logs:/var/log/tripleo/',
# Syslog socket for puppet logs # Syslog socket for puppet logs
'--volume', '/dev/log:/dev/log', '--volume', '/dev/log:/dev/log',
@ -286,7 +286,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
'--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
# script injection # script injection
'--volume', '%s:%s:rw' % (sh_script, sh_script) ] '--volume', '%s:%s:z' % (sh_script, sh_script) ]
for volume in volumes: for volume in volumes:
if volume: if volume:

View File

@ -0,0 +1,16 @@
---
upgrade: &notes
- |
The configuration management related directories managed by the
tripleo deployment tools and bind-mounted as docker volumes now
using the `:z` flag, which is a docker's equivalent for
`chcon -Rt svirt_sandbox_file_t -l s0`. This makes those
directories available for all containers on the host, in the
shared mode: `/var/lib/tripleo-config`, `/var/lib/docker-puppet`,
`/var/lib/kolla/config`, `/etc/puppet`,
`/usr/share/openstack-puppet/modules/`, `/var/lib/config-data`.
security: *notes
fixes:
- |
Allow containerized services to be executed on hosts with SELinux
in the enforcing mode.